GDPR Privacy Notice

Last Updated: July 20, 2023

This EEA/UK/ Switzerland Privacy Notice (“Notice”) explains how Inform Diagnostics, Inc., (“Inform,” “we,” or “us”) complies with certain privacy rights specifically available to individuals (collectively, “European Residents”) located in the European Economic Area (inclusive of the European Union) (“EEA”), United Kingdom (“UK”), or Switzerland (collectively, “Designated Countries”).

1.Scope

This Notice applies solely to European Residents located in the Designated Countries at the time of data collection. We may ask you to identify which country you are located in when you use some of our services; or we may rely on your IP address to identify which country you are located in. Where we rely only on your IP address, we cannot apply the terms of this Notice to any User or Customer that masks or otherwise obfuscates their location information. If any terms in this Notice conflict with other terms contained in our Privacy Policy, the terms in this Notice shall apply to users in the Designated Countries. This Notice is supplemental to our Privacy Notice and Terms and Conditions.

2.Our Relationship to You
Under the GDPR, a “controller” is an entity that determines the purposes for which and the manner in which any personal information is processed. A “processor” is an entity that processes personal information on behalf of a controller.

Inform may act as a “controller” in very limited circumstances with respect to your personal information. For example, if you are an employee or an independent contractor who is a European Resident, and Inform collects your personal data, Inform is a controller of such data. Likewise, to the extent a provider enters personal information into our Provider Portal or Patient Portal on our Website, Inform may be legally deemed a controller as to the information that a provider enters directly into the Website about themselves or their patients. However, at this time, Inform does not offer services to European Residents, does not have offices or locations in the Designated Areas, and does not make its Website Services generally available to consumers from the Designated Areas.

3.Lawful Bases for Processing Your Personal Information
We process personal information on the following legal bases: (1) with your consent, per an informed consent form from your provider; (2) as necessary to fulfill our legal obligations or contractual obligations to provide Services; and (3) as necessary for our legitimate interests in providing the Services where those interests do not override your fundamental rights and freedoms related to data privacy. To the extent that any de-identified data is anonymized, it is not considered personal data and falls outside applicable privacy laws.

4.Marketing Activities
Direct marketing includes any communications we send to you that are only based on advertising or promoting products and services. Transactional communications about your account or our Services are not considered “direct marketing” communications. We will only contact patients or providers by electronic means (including email or SMS) based on our legitimate interest or their consent. If you do not want us to use your personal information in this way, please click an unsubscribe link in your emails, or contact us at privacy@InformDx.com.

5.Privacy Rights

  • We provide you with the rights described below when you use our Services. When we receive an individual rights request from you, please make sure you are ready to verify your identity. Please be advised that there are limitations to your individual rights. We may limit your individual rights in the following ways: (i) where denial of access is required or authorized by law; (ii) when granting access would have a negative impact on other’s privacy; (iii) to protect our rights and properties; and (iv) where the request is frivolous or burdensome. If you have questions, if you would like to exercise your rights under the applicable law, please contact us at privacy@InformDX.com.
  • Right to withdraw consent. If we rely on consent to process your personal information, you have the right to withdraw your consent at any time. A withdrawal of consent will not affect the lawfulness of our processing or the processing of any third parties based on consent before your withdrawal.
  • Right of access and rectification. If you request a copy of your personal information that we hold, we will provide you with a copy without undue delay and free of charge, except where we are permitted by law to charge a fee. We may limit your access if such access would adversely affect the rights and freedoms of other individuals. You may request to correct or update any of your personal information held by us, unless you can already do so directly via the Services.
  • Right to erasure (the “right to be forgotten”). You may request us to erase any of your personal information held by us that: is no longer necessary in relation to the purposes for which it was collected or otherwise processed; was collected in relation to processing that you previously consented to, but later withdrew such consent; or was collected in relation to processing activities to which you object, and there are no overriding legitimate grounds for our processing.
  • Right to object to processing. You may object to our processing at any time and as permitted by applicable law if we process your personal information on the legal basis of consent, contract, or legitimate interests. We can continue to process your personal information if it is necessary for the defense of legal claims, or under any other exceptions permitted by applicable law.
  • Right to restriction. You have the right to restrict our processing of your personal information where one of the following applies:
    • You contest the accuracy of your personal information that we processed. In such cases, we will restrict the processing of your personal information, which may result in an interruption of some or all of the Services, during the period necessary for us to verify the accuracy of your personal information.
    • The processing is unlawful, and you oppose the erasure of your personal information and request the restriction of its use instead.
    • We no longer need your personal information for the purposes of the processing, but it is required by you to establish, exercise, or defend legal claims.
    • You have objected to processing, pending the verification of whether the legitimate grounds of our processing override your rights. In such cases, we will only process your restricted personal information with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. We will inform you if or when the restriction is lifted.
  • Right to data portability. If we process your personal information based on a contract with you or based on your consent, or the processing is carried out by automated means, you may request to receive your personal information in a structured, commonly used, and machine-readable format, and to have us transfer your personal information directly to another “controller,” where technically feasible, unless exercise of this right adversely affects the rights and freedoms of others.
  • Notification to third parties. If we share your personal information with third parties, we will notify them of any requests for rectification, erasure, or restriction of your personal information, unless this proves impossible or involves disproportionate effort.

The rights described above may be limited by local laws. Further, your right of access and deletion is not absolute and may not be available if fulfillment of such right would, among other things:

  • Cause interference with execution and enforcement of the law and legal private rights (such as in the case of the investigation or detection of legal claims or the right to a fair trial).
  • Breach or prejudice the rights of confidentiality and security of others.
  • Prejudice security or grievance investigations, corporate re-organizations, future and ongoing negotiations with third parties, the compliance with regulatory requirements relating to economic and financial management.
  • Otherwise violate the interests of others or where the burden or cost of providing access would be disproportionate.

6.International Data Transfers

When information of European Residents is transferred from the Designated Region to our laboratories in the United States, when legally required, we take measures aimed to provide the appropriate level of data protection, including ensuring that such transfers are governed by the Standard Contractual Clauses or other similar applicable and legally acceptable mechanisms.

7.Complaints or Questions

If you believe we have infringed or violated your privacy rights, please contact us, so that we can work to resolve your concerns: privacy@InformDx.com.

You may also contact our EU Representative, DataRep, here.

You also have a right to lodge a complaint with a competent supervisory authority situated in a Member State of your habitual residence, place of work, or place of alleged infringement. Relevant contact details can be found here for the EEA, here for the UK, and here for Switzerland.